Beginning March 2, 2026, Zoom requires the use of an On Behalf Of (OBF) token for Meeting SDK (MSDK) apps joining meetings hosted by external accounts. For use cases requiring continuous data access or persistent recording, use Real Time Media Streams (RTMS) for best results.
(Originally, we were targeting February 23, but we heard your feedback and moved the enforcement date out.)
To retrieve an OBF token using the REST API, implement the OAuth flow with the user:read:token scopes.
New authentication requirements
| App action | Required tokens | Notes |
|---|---|---|
| Start a Zoom meeting or webinar | JWT + ZAK token | The ZAK token is associated with a Zoom user. |
| Join a Zoom meeting or webinar within the app owner’s account as a participant or non-login user | JWT | Only the JWT is needed because the meeting or webinar is within the app owner’s account and the app is not the host. |
| Join a Zoom meeting or webinar as a user | JWT + ZAK token | The ZAK token is associated with a Zoom user. |
| Join a Zoom meeting or webinar as a user’s meeting app | JWT + OBF token | OBF tokens can only be used for joining. They require an associated user, and that user must already be in the meeting for the join to succeed. |
Frequently Asked Questions (FAQ)
General Questions
Q: When does enforcement of the OBF token requirement begin?
A: Enforcement begins March 2, 2026. Please plan to have attribution measures in place by February 23, 2026. To remain compliant, MSDK apps must be on the minimum SDK version, 5.17.5, or later. Beginning with version 6.6.10, released November 2025, the MSDK includes improved error messaging for OBF-related issues.
Q: Can an OBF token be obtained from any meeting participant if the meeting is created by someone outside my organization?
A: No. OBF tokens can only be obtained for participants who have authorized the app via OAuth, and who are actively present in the meeting. The SDK app cannot join the meeting or webinar until that authorized user joins.
Q: Will the OBF token requirement apply to all SDK versions, including older ones?
A: Yes, for versions as early as 5.17.5, our minimum SDK version as of that date. Starting March 2, 2026, enforcement applies to all MSDK apps.
Q: Can my app use multiple OBF tokens at the same time to maintain continuous recording if its authorized user leaves?
A: No. Each SDK session can use only one OBF token at a time, and it is tied to a specific user. When that user leaves, the session ends and must rejoin with another authorized token.
Q: Can the Meeting SDK app continue recording when the authorized user leaves the meeting?
A: No. The SDK session is tied to the presence of the authorizing user, so the session ends when that user leaves the meeting. For continuous or automated recording, use RTMS.
Q: Are meeting hosts required to belong to the same Zoom account as the SDK app?
A: No. The OBF requirement is specifically for apps that join meetings outside of their own account, meaning the host is external to the app. However, a participant in the meeting must have authorized the app via OAuth to generate the required OBF token.
Q: What is the best alternative for continuous or automated recording use cases?
A: Use RTMS, which supports persistent or automated recording.
Q: Can RTMS support continuous recording even if the host leaves the meeting or webinar?
A: Yes. RTMS allows continuous streaming independent of participant presence, as long as the host has authorized the app.
Q: What happens if a participant joins late or declines authorization? Can the SDK app still join?
A: The SDK app can’t join until an authorized participant joins.
Q: Can legacy note-taking apps remain compliant without migrating to RTMS?
A: Yes. To remain compliant, legacy apps must either adopt the OBF token authorization flow or migrate to RTMS before March 2, 2026.
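The presence rules in the answers above (one OBF token per session, bound to an OAuth-authorized user who is currently in the meeting) can be modelled as a small state machine driven by participant events. This is an added example, not Zoom's code: the class, the action names and the sample events are hypothetical, and the actual token request and SDK join calls are left as named actions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ObfSessionPlanner:
    """Decides when an SDK app may join, given who is present (hypothetical helper)."""
    authorized: set                      # users who completed OAuth for this app
    present: set = field(default_factory=set)
    bound_to: Optional[str] = None       # user whose OBF token backs the session
    log: list = field(default_factory=list)

    def _try_join(self):
        # Only a user who is both authorized and in the meeting can back a join.
        candidates = sorted(self.present & self.authorized)
        if candidates:
            self.bound_to = candidates[0]
            # Placeholder action: fetch an OBF token for this user, then join.
            self.log.append(("request_obf_and_join", self.bound_to))
        else:
            self.log.append(("wait_for_authorized_user", None))

    def on_event(self, kind, user):
        if kind == "joined":
            self.present.add(user)
            if self.bound_to is None:    # one token per session: never stack a second
                self._try_join()
        elif kind == "left":
            self.present.discard(user)
            if user == self.bound_to:    # session is tied to this user's presence
                self.bound_to = None
                self.log.append(("session_ended", user))
                self._try_join()         # rejoin needs a different authorized user
        return self.bound_to

def replay(authorized, events):
    planner = ObfSessionPlanner(authorized=set(authorized))
    for kind, user in events:
        planner.on_event(kind, user)
    return planner.log

# Constructed sample: an external host plus two users who authorized the app.
EVENTS = [
    ("joined", "host_ext"), ("joined", "alice"), ("joined", "bob"),
    ("left", "alice"), ("left", "bob"),
]

if __name__ == "__main__":
    for step in replay({"alice", "bob"}, EVENTS):
        print(step)
```
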
Understand the difference between ZAK and OBF tokens
Q: What is the difference between ZAK tokens and OBF tokens?
A: The key difference is who or what the token represents.
- ZAK tokens represent a person. Use them when the MSDK app joins a meeting or webinar on behalf of an authenticated user.
- OBF tokens represent an app. Use them when the MSDK app joins a meeting as an automated participant (like a recording or note-taking app).
Q: Why do developers need to use OAuth when working with ZAK tokens?
A: ZAK tokens are tied to a specific Zoom user account. To generate a valid ZAK token, the user must authorize your MSDK app via OAuth so that the app can securely access their account and act on their behalf. Without this OAuth connection, the app can’t obtain a ZAK token or join meetings as that user.
Even if your MSDK app already includes the correct ZAK token scopes, each user must still connect their Zoom account to your app via OAuth before a token can be issued. Skipping this step prevents your MSDK app from obtaining valid ZAK tokens and successfully joining meetings.
Q: Why is this OAuth requirement often overlooked?
A: Many developers embed Zoom functionality directly into their websites, where users may never visit the Zoom App Marketplace or explicitly install a given app. In these cases, the need for an OAuth connection is not immediately obvious from the technical documentation, but it is required to generate a ZAK token.
Q: What should developers building embedded experiences be aware of?
A: If your MSDK app uses ZAK tokens, you must design a user flow that includes OAuth authorization. This ensures that each user securely connects their Zoom account to your app before joining or hosting meetings through the SDK. For automated or bot-like use cases that don’t need user authorization, use OBF tokens instead.